Sky Bet shared customer data with multiple third parties


Clean Up Gambling has commissioned Cracked Labs to carry out a detailed investigation into data flows in the online gambling industry.

This investigation, reported in the Daily Mail, lays out the scale and depth of behavioural surveillance and data practices used by online gambling operators. It provides extensive information about the scope of the data flows and the web of third-party companies that receive that data to build detailed and intimate profiles of individuals, often without their knowledge.

Such profiles include indicators of personal vulnerability and addictive behaviours, which can then be used to target the most vulnerable.

Matt Zarb-Cousin, Director of Clean Up Gambling, said: “This use of data is far more intrusive than any proposed customer affordability checks, although the latter would be to protect consumers rather than to exploit them. Given so much data exists that could be used by operators to reduce harm, but is instead abused to advance commercial objectives, it is unfathomable that the Gambling Commission is allowing the Betting and Gaming Council, of which SkyBet is a member and funder, to lead on creating and controlling the ‘single customer view’ as a means for enforcing affordability controls.”

This investigation reveals gambling platforms operating in conjunction with a wider network of third parties. Even limited browsing, consisting of 37 visits to gambling websites, led to 2,154 data transmissions to 83 domains controlled by 44 different companies. These range from well-known platforms like Facebook and Google to lesser-known surveillance technology companies like Signal and Iovation, enabling these actors to embed imperceptible monitoring software during a user’s browsing experience.

A number of these third-party companies receive behavioural data from gambling platforms in real-time, including information on how often individuals gambled, how much they were spending, and their value to the company if they returned to gambling after lapsing.

During the course of the investigation, both online gambling operators and third parties were asked to provide access to the data they were processing on individual consumers, in order to understand how that information was being used.

The investigation lays out how the companies responded to those requests, finding that the companies (i) were not transparent about what data would be collected and (ii) did not disclose all data being processed. That lack of transparency makes it difficult for individuals to know what is happening with information being held about them and damages the ability of individuals to exercise their rights.

Gambling disorders are characterised by repetitive traits that signal a form of addictive behaviour. The potential to exploit such traits is extremely lucrative to gambling platforms. Being able to know what individuals are playing and how to ensure continued engagement has become a reality through behavioural profiling. And the investigation shows that such behavioural profiles are being created by the industry.

For example, a request for access to personal information was made to Signal, a profiling company owned by the credit reporting giant TransUnion. In response, Signal disclosed detailed personal profiles revealing intimate gambling behaviour. The files contained 186 separate attributes for a single individual, which painted a detailed and personal portrait of their gambling behaviour, including their propensity to gamble, favourite games, and susceptibility to marketing.

The profiles also included metrics as to how much they are worth financially to the gambling companies, and categorised individuals on their inferred “value” to operators. Additionally, the investigation found that these data profiles were able to determine whether individuals have ever self-excluded.

The investigation found that Sky Betting and Gaming (SBG) made 2,154 transmissions of data to 44 different digital surveillance companies from just 37 visits to its websites. The report shows that companies such as Adobe, Signal, Facebook, and Google received the greatest number of transmissions of data. A high number of transmissions often suggests extensive behavioural profiling, but even a single request can be problematic if it transfers intimate personal information, as appears to occur in the case of gambling platforms.

Several third-party companies, including Signal, MediaMath, Facebook, Google and Microsoft, also received detailed behavioural data from SBG on activities, for example, when a cash amount had been deposited. Along with this data, several companies also received personal identifiers. Several companies also received the customer ID or the SBG username, whereas another company received data on every spin.

The report shows that intimate information about individual gambling behaviour was being processed and passed to third parties, including an individual’s full gaming history, completed bets, as well as dates and amounts of deposits and withdrawals. Information passed to third parties was used to build profiles about behaviour on gambling platforms, from favourite games and how often individuals stayed online to the percentage of marketing emails that were read.

SBG deployed Signal, which processed up to 186 profile attributes relating to characteristics and behaviours. This extensive processing provides the framework for advanced profiling to be made on individual consumers. Individuals are unlikely to know that Signal is being used in this way by SBG, as SBG does not name Signal as a recipient of this personal information.

Marketing and risk surveillance tools have been developed that allow companies to access profiles of existing and potential customers. Those profiles are built on personal data and records of behaviour collected over various websites and platforms, as well as through other activity, and even information obtained offline.

These practices have created a network of interlinked actors that feed such data to each other, including online advertising businesses, data brokers and other companies. This information gleaned about individuals can subsequently be used for advertising and marketing targeted to individual vulnerabilities. While such advertising is usually seen through the prism of profit, that same technology can be used to maximise engagement.

Increased engagement is particularly acute in the online gambling context. Gambling disorder has been classified as a “behavioural addiction diagnosis”. Gambling can be addictive and can lead to a gambling disorder. Clean Up Gambling has chronicled how gambling disorders can lead to real-world harms.

Real-time monitoring of addictive behaviours allows for this vulnerability to be identified and exploited. In turn, awareness of such behaviours can be used to influence those addictive behaviours, through personalised offers and rewards. The potential for exploitation is aggravated where such profiles are updated in real-time based on an individual’s particular predilections.

This investigation has shown that specific companies’ websites have access to extensive amounts of personal data pertaining to behaviours of their customers. That personal data is often accessed by third-party companies, which use that information to enhance their own profiles of individuals.
